Re: [Uta] Richard Barnes' Discuss on draft-ietf-uta-tls-bcp-09: (with DISCUSS and COMMENT)
Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 20 February 2015 04:27 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD6571A6EED; Thu, 19 Feb 2015 20:27:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lxg2Dm1LK-xO; Thu, 19 Feb 2015 20:27:20 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E43531A1BD1; Thu, 19 Feb 2015 20:27:19 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 4495E282D5F; Fri, 20 Feb 2015 04:27:18 +0000 (UTC)
Date: Fri, 20 Feb 2015 04:27:18 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: uta@ietf.org
Message-ID: <20150220042718.GR1260@mournblade.imrryr.org>
References: <20150219033433.10815.25308.idtracker@ietfa.amsl.com> <54E56454.7080307@andyet.net> <CAL02cgS+h2jkOChJkoCy7gHvFQEe22SRRAg5om00ZpiHCOi_2g@mail.gmail.com> <54E5B84C.9040400@cs.tcd.ie> <CAL02cgSem5aW+mhPED3C_5NTfA4YRhr5FSUD3+NnTE_t-8y6Gg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAL02cgSem5aW+mhPED3C_5NTfA4YRhr5FSUD3+NnTE_t-8y6Gg@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/H6bafvCVcHcmWK6KwDNxz4pWrjs>
Cc: iesg@ietf.org
Subject: Re: [Uta] Richard Barnes' Discuss on draft-ietf-uta-tls-bcp-09: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: uta@ietf.org
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Feb 2015 04:27:22 -0000
On Thu, Feb 19, 2015 at 09:35:50AM -0500, Richard Barnes wrote: > > > Part of the source of my confusion here is that from the pure perspective > > > of TLS, the server is *always* authenticated (and the client, > > > > Factually incorrect. Anon-DH has been present in TLS since the > > beginning. If your DISCUSS is based on that misapprehension then > > you need to re-consider. > > Well, that brings up another thing that this document should deprecate. ;) > > As RFC 5246 points out: > """ > Note that using non-anonymous key exchange without actually verifying > the key exchange is essentially equivalent to anonymous key exchange, > and the same precautions apply. > """ * Some servers may prefer to know which clients have chosen to not authenticate them, and may offer such clients reduced service or simply have a better audit trail of client policy. This is explained in: https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-13#section-8.2 This is, for example, how I know that though ietf.org's email server has TLSA records and can be authenticated by DANE-capable SMTP clients, it is not yet itself a DANE-capable MTA, and does not authenticate my SMTP server's certificate (it uses anon-DH when connecting to my domain). [ I might reach out to the AMSL email admins and see whether they're yet in a position to upgrade to Postfix 2.11.x and also enable outbound DANE verification. This was not yet an option at the time they first published TLSA RRs a year or so back. ] * A client that knows that it will not in fact check the server certificate, can inform the server of this fact by announcing support for anon-DH ciphersuites in addition to support for various types of certificates that it will ignore. * Such a client interoperates with servers that field no certificates, as well as with servers that field certificates. * Some clients will support only anon-DH, but will be secure because they use channel-binding (e.g., with GSSAPI) to secure the connection, and any negotiation of certificates is then just wasted bits on the wire and wasted processing. > The basis of my DISCUSS is I haven't heard anyone say what they would want > to change about this document to make it suitable for an "unauthenticated" > environment. Regardless of whether there's consensus for changes, if > nobody's asking for changes, we shouldn't preemptively open the door. In an opportunistic context, (TLS) encryption is used simply because it appears to be possible. Cleartext transmission is permitted and used otherwise, and no more security than that is expected. If TLS happens to be possible, hooray, maybe you get more than you expected. So the peers communicate by any means available, but try to be as secure as circumstances allow. In this context, any crypto that is not demonstrably as weak as cleartext, and is still the best that some non-negligible fraction of peers are capable of (e.g. some Exchange 2003 SMTP servers that do at best TLS_RSA_WITH_RC4_128_SHA) is acceptable crypto. If the TLS stack refuses to support that, then communication happens in the clear. The identity function (cleartext) offers less confidentiality (against humans glancing over your shoulder) than ROT13 which is in turn offers less security (against passive attackers) than 128-bit RC4. > After talking with Pete some last night, I think another confusion here is > (predictably) over uses of "opportunistic" (as indeed the title of section > 5.2 implies). > > 1. Using TLS without checking the credentials presented by the remote side > 2. Interoperating with legacy things using whatever TLS settings possible > > I get the sense that a lot of the discussion here, especially from the mail > perspective, is related to the second thing, which is so clearly out of > scope for this document that it doesn't bear mentioning. With opportunistic TLS one accepts both communication where authentication is impractical and communication where cryptography is uses deprecated algorithms that are still sufficiently widely "best available". Thus most Postfix deployments disable SSLv2 (everyone can do better), but not RC4 (enough sites for now cannot do better). The RC4 ciphersuites required for interoperability are also non-PFS. > And what I'm > saying above is that this document *also* doesn't need to say anything > about the first thing, because TLS looks exactly the same on the wire > whether you check the credentials or not. The document is not only about the bits that go on the wire. It is also about checks that clients SHOULD or MUST perform. > I would probably be OK if the "Opportunistic" stuff were scoped down to > say, "This document doesn't say anything about how you choose whether to > use TLS for a given session, just how you use it once you do," and the > unauthenticated stuff were removed entirely. Well, when Postfix uses opportunistic TLS both client and server prefer anon-DH ciphersuites over RSA or ECDSA ciphersuites, clients ignore any certificates the server may return, and at present even EXPORT (which include 40-bit RC4) cipher-suites are allowed. TLS is used routinely in ~70% of email MTA to MTA email transactions, with no user to "click-OK". Where the BCP recommends things that should be preferred, it is largely applicable to opportunistic TLS with SMTP, one just needs to prefer best-practice. Where the BCP attempts to proscribe things that are now potentially vulnerable to attack, but which are still the best available for enough peers, opportunistic use of TLS needs to ignore any advice that would otherwise lead to much cheaper attacks on cleartext. Basically, I'm fine with "raising the ceiling" as high as it seems to make sense, but once the floor is raised too high, the BCP no longer applies to opportunistic TLS. * server authentication needs to remain optional * non-PFS key exchange is still needed * RC4 and SSLv3 are still needed (perhaps another 2-3 years might be enough to change this). * SSLv2, MD5 and <= 64-bit ciphers can go, they are no longer used, but banning them is largely unnecessary. They've disappeared without a ban. -- Viktor. P.S. I am surprised by the repeated statements that "we don't know" what is required for opportunistic security. It is rather simple, what's required is the freedom to adapt to the peer's capabilities, including those of peers in the long tail of the protocol technology adoption curve. Of course at some point truly obsolete protocols are left behind, but that happens long after they are no longer best-practice, rather it happens when they are essentially no longer practiced at all. Best current practices still make it into opportunistic security. They are what should expect happen when the communicating peers are reasonably up to date. Often one even gets better than best current practice, because both peers are "bleeding edge".
- [Uta] Richard Barnes' Discuss on draft-ietf-uta-t… Richard Barnes
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Pete Resnick
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Peter Saint-Andre - &yet
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Richard Barnes
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Richard Barnes
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Pete Resnick
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Brian Smith
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Richard Barnes
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Brian Smith
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Leif Johansson
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Stephen Farrell
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Richard Barnes
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Viktor Dukhovni
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Ralph Holz
- Re: [Uta] Modular vs. modp Peter Saint-Andre - &yet
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Peter Saint-Andre - &yet
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Richard Barnes
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Eric Rescorla
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Peter Saint-Andre - &yet
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Richard Barnes
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Stephen Farrell
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Richard Barnes
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Pete Resnick
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Richard Barnes
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Peter Saint-Andre - &yet
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Peter Saint-Andre - &yet
- [Uta] Modular vs. modp (was: Richard Barnes' Disc… Viktor Dukhovni
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Richard Barnes
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Stephen Farrell
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Richard Barnes
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Leif Johansson
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Daniel Kahn Gillmor
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Leif Johansson
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Peter Saint-Andre - &yet
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Pete Resnick
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… t.p.
- Re: [Uta] Richard Barnes' Discuss on draft-ietf-u… Pete Resnick